projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'devel' of master.kernel.org:/home/rmk/linux-2.6-mmc
[deliverable/linux.git] / net / ipv4 / netfilter / ip_conntrack_ftp.c
1 /* FTP extension for IP connection tracking. */
2
3 /* (C) 1999-2001 Paul `Rusty' Russell
4 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 */
10
11 #include <linux/config.h>
12 #include <linux/module.h>
13 #include <linux/netfilter.h>
14 #include <linux/ip.h>
15 #include <linux/ctype.h>
16 #include <net/checksum.h>
17 #include <net/tcp.h>
18
19 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
20 #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
21 #include <linux/moduleparam.h>
22
23 MODULE_LICENSE("GPL");
24 MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
25 MODULE_DESCRIPTION("ftp connection tracking helper");
26
27 /* This is slow, but it's simple. --RR */
28 static char *ftp_buffer;
29 static DEFINE_SPINLOCK(ip_ftp_lock);
30
31 #define MAX_PORTS 8
32 static unsigned short ports[MAX_PORTS];
33 static int ports_c;
34 module_param_array(ports, ushort, &ports_c, 0400);
35
36 static int loose;
37 module_param(loose, bool, 0600);
38
39 unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
40 enum ip_conntrack_info ctinfo,
41 enum ip_ct_ftp_type type,
42 unsigned int matchoff,
43 unsigned int matchlen,
44 struct ip_conntrack_expect *exp,
45 u32 *seq);
46 EXPORT_SYMBOL_GPL(ip_nat_ftp_hook);
47
48 #if 0
49 #define DEBUGP printk
50 #else
51 #define DEBUGP(format, args...)
52 #endif
53
54 static int try_rfc959(const char *, size_t, u_int32_t [], char);
55 static int try_eprt(const char *, size_t, u_int32_t [], char);
56 static int try_epsv_response(const char *, size_t, u_int32_t [], char);
57
58 static const struct ftp_search {
59 const char *pattern;
60 size_t plen;
61 char skip;
62 char term;
63 enum ip_ct_ftp_type ftptype;
64 int (*getnum)(const char *, size_t, u_int32_t[], char);
65 } search[IP_CT_DIR_MAX][2] = {
66 [IP_CT_DIR_ORIGINAL] = {
67 {
68 .pattern = "PORT",
69 .plen = sizeof("PORT") - 1,
70 .skip = ' ',
71 .term = '\r',
72 .ftptype = IP_CT_FTP_PORT,
73 .getnum = try_rfc959,
74 },
75 {
76 .pattern = "EPRT",
77 .plen = sizeof("EPRT") - 1,
78 .skip = ' ',
79 .term = '\r',
80 .ftptype = IP_CT_FTP_EPRT,
81 .getnum = try_eprt,
82 },
83 },
84 [IP_CT_DIR_REPLY] = {
85 {
86 .pattern = "227 ",
87 .plen = sizeof("227 ") - 1,
88 .skip = '(',
89 .term = ')',
90 .ftptype = IP_CT_FTP_PASV,
91 .getnum = try_rfc959,
92 },
93 {
94 .pattern = "229 ",
95 .plen = sizeof("229 ") - 1,
96 .skip = '(',
97 .term = ')',
98 .ftptype = IP_CT_FTP_EPSV,
99 .getnum = try_epsv_response,
100 },
101 },
102 };
103
104 static int try_number(const char *data, size_t dlen, u_int32_t array[],
105 int array_size, char sep, char term)
106 {
107 u_int32_t i, len;
108
109 memset(array, 0, sizeof(array[0])*array_size);
110
111 /* Keep data pointing at next char. */
112 for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
113 if (*data >= '0' && *data <= '9') {
114 array[i] = array[i]*10 + *data - '0';
115 }
116 else if (*data == sep)
117 i++;
118 else {
119 /* Unexpected character; true if it's the
120 terminator and we're finished. */
121 if (*data == term && i == array_size - 1)
122 return len;
123
124 DEBUGP("Char %u (got %u nums) `%u' unexpected\n",
125 len, i, *data);
126 return 0;
127 }
128 }
129 DEBUGP("Failed to fill %u numbers separated by %c\n", array_size, sep);
130
131 return 0;
132 }
133
134 /* Returns 0, or length of numbers: 192,168,1,1,5,6 */
135 static int try_rfc959(const char *data, size_t dlen, u_int32_t array[6],
136 char term)
137 {
138 return try_number(data, dlen, array, 6, ',', term);
139 }
140
141 /* Grab port: number up to delimiter */
142 static int get_port(const char *data, int start, size_t dlen, char delim,
143 u_int32_t array[2])
144 {
145 u_int16_t port = 0;
146 int i;
147
148 for (i = start; i < dlen; i++) {
149 /* Finished? */
150 if (data[i] == delim) {
151 if (port == 0)
152 break;
153 array[0] = port >> 8;
154 array[1] = port;
155 return i + 1;
156 }
157 else if (data[i] >= '0' && data[i] <= '9')
158 port = port*10 + data[i] - '0';
159 else /* Some other crap */
160 break;
161 }
162 return 0;
163 }
164
165 /* Returns 0, or length of numbers: |1|132.235.1.2|6275| */
166 static int try_eprt(const char *data, size_t dlen, u_int32_t array[6],
167 char term)
168 {
169 char delim;
170 int length;
171
172 /* First character is delimiter, then "1" for IPv4, then
173 delimiter again. */
174 if (dlen <= 3) return 0;
175 delim = data[0];
176 if (isdigit(delim) || delim < 33 || delim > 126
177 || data[1] != '1' || data[2] != delim)
178 return 0;
179
180 DEBUGP("EPRT: Got |1|!\n");
181 /* Now we have IP address. */
182 length = try_number(data + 3, dlen - 3, array, 4, '.', delim);
183 if (length == 0)
184 return 0;
185
186 DEBUGP("EPRT: Got IP address!\n");
187 /* Start offset includes initial "|1|", and trailing delimiter */
188 return get_port(data, 3 + length + 1, dlen, delim, array+4);
189 }
190
191 /* Returns 0, or length of numbers: |||6446| */
192 static int try_epsv_response(const char *data, size_t dlen, u_int32_t array[6],
193 char term)
194 {
195 char delim;
196
197 /* Three delimiters. */
198 if (dlen <= 3) return 0;
199 delim = data[0];
200 if (isdigit(delim) || delim < 33 || delim > 126
201 || data[1] != delim || data[2] != delim)
202 return 0;
203
204 return get_port(data, 3, dlen, delim, array+4);
205 }
206
207 /* Return 1 for match, 0 for accept, -1 for partial. */
208 static int find_pattern(const char *data, size_t dlen,
209 const char *pattern, size_t plen,
210 char skip, char term,
211 unsigned int *numoff,
212 unsigned int *numlen,
213 u_int32_t array[6],
214 int (*getnum)(const char *, size_t, u_int32_t[], char))
215 {
216 size_t i;
217
218 DEBUGP("find_pattern `%s': dlen = %u\n", pattern, dlen);
219 if (dlen == 0)
220 return 0;
221
222 if (dlen <= plen) {
223 /* Short packet: try for partial? */
224 if (strnicmp(data, pattern, dlen) == 0)
225 return -1;
226 else return 0;
227 }
228
229 if (strnicmp(data, pattern, plen) != 0) {
230 #if 0
231 size_t i;
232
233 DEBUGP("ftp: string mismatch\n");
234 for (i = 0; i < plen; i++) {
235 DEBUGP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
236 i, data[i], data[i],
237 pattern[i], pattern[i]);
238 }
239 #endif
240 return 0;
241 }
242
243 DEBUGP("Pattern matches!\n");
244 /* Now we've found the constant string, try to skip
245 to the 'skip' character */
246 for (i = plen; data[i] != skip; i++)
247 if (i == dlen - 1) return -1;
248
249 /* Skip over the last character */
250 i++;
251
252 DEBUGP("Skipped up to `%c'!\n", skip);
253
254 *numoff = i;
255 *numlen = getnum(data + i, dlen - i, array, term);
256 if (!*numlen)
257 return -1;
258
259 DEBUGP("Match succeeded!\n");
260 return 1;
261 }
262
263 /* Look up to see if we're just after a \n. */
264 static int find_nl_seq(u32 seq, const struct ip_ct_ftp_master *info, int dir)
265 {
266 unsigned int i;
267
268 for (i = 0; i < info->seq_aft_nl_num[dir]; i++)
269 if (info->seq_aft_nl[dir][i] == seq)
270 return 1;
271 return 0;
272 }
273
274 /* We don't update if it's older than what we have. */
275 static void update_nl_seq(u32 nl_seq, struct ip_ct_ftp_master *info, int dir,
276 struct sk_buff *skb)
277 {
278 unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
279
280 /* Look for oldest: if we find exact match, we're done. */
281 for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
282 if (info->seq_aft_nl[dir][i] == nl_seq)
283 return;
284
285 if (oldest == info->seq_aft_nl_num[dir]
286 || before(info->seq_aft_nl[dir][i], oldest))
287 oldest = i;
288 }
289
290 if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
291 info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
292 ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
293 } else if (oldest != NUM_SEQ_TO_REMEMBER) {
294 info->seq_aft_nl[dir][oldest] = nl_seq;
295 ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
296 }
297 }
298
299 static int help(struct sk_buff **pskb,
300 struct ip_conntrack *ct,
301 enum ip_conntrack_info ctinfo)
302 {
303 unsigned int dataoff, datalen;
304 struct tcphdr _tcph, *th;
305 char *fb_ptr;
306 int ret;
307 u32 seq, array[6] = { 0 };
308 int dir = CTINFO2DIR(ctinfo);
309 unsigned int matchlen, matchoff;
310 struct ip_ct_ftp_master *ct_ftp_info = &ct->help.ct_ftp_info;
311 struct ip_conntrack_expect *exp;
312 unsigned int i;
313 int found = 0, ends_in_nl;
314
315 /* Until there's been traffic both ways, don't look in packets. */
316 if (ctinfo != IP_CT_ESTABLISHED
317 && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
318 DEBUGP("ftp: Conntrackinfo = %u\n", ctinfo);
319 return NF_ACCEPT;
320 }
321
322 th = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
323 sizeof(_tcph), &_tcph);
324 if (th == NULL)
325 return NF_ACCEPT;
326
327 dataoff = (*pskb)->nh.iph->ihl*4 + th->doff*4;
328 /* No data? */
329 if (dataoff >= (*pskb)->len) {
330 DEBUGP("ftp: pskblen = %u\n", (*pskb)->len);
331 return NF_ACCEPT;
332 }
333 datalen = (*pskb)->len - dataoff;
334
335 spin_lock_bh(&ip_ftp_lock);
336 fb_ptr = skb_header_pointer(*pskb, dataoff,
337 (*pskb)->len - dataoff, ftp_buffer);
338 BUG_ON(fb_ptr == NULL);
339
340 ends_in_nl = (fb_ptr[datalen - 1] == '\n');
341 seq = ntohl(th->seq) + datalen;
342
343 /* Look up to see if we're just after a \n. */
344 if (!find_nl_seq(ntohl(th->seq), ct_ftp_info, dir)) {
345 /* Now if this ends in \n, update ftp info. */
346 DEBUGP("ip_conntrack_ftp_help: wrong seq pos %s(%u) or %s(%u)\n",
347 ct_ftp_info->seq_aft_nl[0][dir]
348 old_seq_aft_nl_set ? "":"(UNSET) ", old_seq_aft_nl);
349 ret = NF_ACCEPT;
350 goto out_update_nl;
351 }
352
353 /* Initialize IP array to expected address (it's not mentioned
354 in EPSV responses) */
355 array[0] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 24) & 0xFF;
356 array[1] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 16) & 0xFF;
357 array[2] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 8) & 0xFF;
358 array[3] = ntohl(ct->tuplehash[dir].tuple.src.ip) & 0xFF;
359
360 for (i = 0; i < ARRAY_SIZE(search[dir]); i++) {
361 found = find_pattern(fb_ptr, (*pskb)->len - dataoff,
362 search[dir][i].pattern,
363 search[dir][i].plen,
364 search[dir][i].skip,
365 search[dir][i].term,
366 &matchoff, &matchlen,
367 array,
368 search[dir][i].getnum);
369 if (found) break;
370 }
371 if (found == -1) {
372 /* We don't usually drop packets. After all, this is
373 connection tracking, not packet filtering.
374 However, it is necessary for accurate tracking in
375 this case. */
376 if (net_ratelimit())
377 printk("conntrack_ftp: partial %s %u+%u\n",
378 search[dir][i].pattern,
379 ntohl(th->seq), datalen);
380 ret = NF_DROP;
381 goto out;
382 } else if (found == 0) { /* No match */
383 ret = NF_ACCEPT;
384 goto out_update_nl;
385 }
386
387 DEBUGP("conntrack_ftp: match `%s' (%u bytes at %u)\n",
388 fb_ptr + matchoff, matchlen, ntohl(th->seq) + matchoff);
389
390 /* Allocate expectation which will be inserted */
391 exp = ip_conntrack_expect_alloc(ct);
392 if (exp == NULL) {
393 ret = NF_DROP;
394 goto out;
395 }
396
397 /* We refer to the reverse direction ("!dir") tuples here,
398 * because we're expecting something in the other direction.
399 * Doesn't matter unless NAT is happening. */
400 exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
401
402 if (htonl((array[0] << 24) | (array[1] << 16) | (array[2] << 8) | array[3])
403 != ct->tuplehash[dir].tuple.src.ip) {
404 /* Enrico Scholz's passive FTP to partially RNAT'd ftp
405 server: it really wants us to connect to a
406 different IP address. Simply don't record it for
407 NAT. */
408 DEBUGP("conntrack_ftp: NOT RECORDING: %u,%u,%u,%u != %u.%u.%u.%u\n",
409 array[0], array[1], array[2], array[3],
410 NIPQUAD(ct->tuplehash[dir].tuple.src.ip));
411
412 /* Thanks to Cristiano Lincoln Mattos
413 <lincoln@cesar.org.br> for reporting this potential
414 problem (DMZ machines opening holes to internal
415 networks, or the packet filter itself). */
416 if (!loose) {
417 ret = NF_ACCEPT;
418 goto out_put_expect;
419 }
420 exp->tuple.dst.ip = htonl((array[0] << 24) | (array[1] << 16)
421 | (array[2] << 8) | array[3]);
422 }
423
424 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
425 exp->tuple.dst.u.tcp.port = htons(array[4] << 8 | array[5]);
426 exp->tuple.src.u.tcp.port = 0; /* Don't care. */
427 exp->tuple.dst.protonum = IPPROTO_TCP;
428 exp->mask = ((struct ip_conntrack_tuple)
429 { { 0xFFFFFFFF, { 0 } },
430 { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
431
432 exp->expectfn = NULL;
433 exp->flags = 0;
434
435 /* Now, NAT might want to mangle the packet, and register the
436 * (possibly changed) expectation itself. */
437 if (ip_nat_ftp_hook)
438 ret = ip_nat_ftp_hook(pskb, ctinfo, search[dir][i].ftptype,
439 matchoff, matchlen, exp, &seq);
440 else {
441 /* Can't expect this? Best to drop packet now. */
442 if (ip_conntrack_expect_related(exp) != 0)
443 ret = NF_DROP;
444 else
445 ret = NF_ACCEPT;
446 }
447
448 out_put_expect:
449 ip_conntrack_expect_put(exp);
450
451 out_update_nl:
452 /* Now if this ends in \n, update ftp info. Seq may have been
453 * adjusted by NAT code. */
454 if (ends_in_nl)
455 update_nl_seq(seq, ct_ftp_info,dir, *pskb);
456 out:
457 spin_unlock_bh(&ip_ftp_lock);
458 return ret;
459 }
460
461 static struct ip_conntrack_helper ftp[MAX_PORTS];
462 static char ftp_names[MAX_PORTS][sizeof("ftp-65535")];
463
464 /* Not __exit: called from init() */
465 static void ip_conntrack_ftp_fini(void)
466 {
467 int i;
468 for (i = 0; i < ports_c; i++) {
469 DEBUGP("ip_ct_ftp: unregistering helper for port %d\n",
470 ports[i]);
471 ip_conntrack_helper_unregister(&ftp[i]);
472 }
473
474 kfree(ftp_buffer);
475 }
476
477 static int __init ip_conntrack_ftp_init(void)
478 {
479 int i, ret;
480 char *tmpname;
481
482 ftp_buffer = kmalloc(65536, GFP_KERNEL);
483 if (!ftp_buffer)
484 return -ENOMEM;
485
486 if (ports_c == 0)
487 ports[ports_c++] = FTP_PORT;
488
489 for (i = 0; i < ports_c; i++) {
490 ftp[i].tuple.src.u.tcp.port = htons(ports[i]);
491 ftp[i].tuple.dst.protonum = IPPROTO_TCP;
492 ftp[i].mask.src.u.tcp.port = 0xFFFF;
493 ftp[i].mask.dst.protonum = 0xFF;
494 ftp[i].max_expected = 1;
495 ftp[i].timeout = 5 * 60; /* 5 minutes */
496 ftp[i].me = THIS_MODULE;
497 ftp[i].help = help;
498
499 tmpname = &ftp_names[i][0];
500 if (ports[i] == FTP_PORT)
501 sprintf(tmpname, "ftp");
502 else
503 sprintf(tmpname, "ftp-%d", ports[i]);
504 ftp[i].name = tmpname;
505
506 DEBUGP("ip_ct_ftp: registering helper for port %d\n",
507 ports[i]);
508 ret = ip_conntrack_helper_register(&ftp[i]);
509
510 if (ret) {
511 ip_conntrack_ftp_fini();
512 return ret;
513 }
514 }
515 return 0;
516 }
517
518 module_init(ip_conntrack_ftp_init);
519 module_exit(ip_conntrack_ftp_fini);
Linux kernel - Deliverables
This page took 0.083603 seconds and 6 git commands to generate.